plushi
New Member
October 3, 2024
Solved

FortiAP 221E Broadcasts signal but has no internet connection


I've been having issues getting my AP to work while building my network. I have a FortiGate 40F connected to a FortiSwitch 108F connected to a FortiAP 221E. The FortiGate is running 6.4.15 and the AP is running 6.0. The AP shows up in the Wifi/Switch controller > Managed FortiAPs and shows that it is online. It's broadcasting the SSID I set up, but when I connect to it, it shows connected with no wifi. It also has a VLAN with a manual IP config.

I'm confused and need help, would anyone know why this would be doing this?

Also, does anyone know how to delete VLANs? It's not giving me the option to delete them. I want to try and put them on the FortiGate instead of the switch.


Brunn3r
Explorer II
October 3, 2024

Is the Wifi SSID in Bridged mode? If yes, did you configure the VLAN ID as allowed on the switchport where the FortiAP is connected? What VLAN ID do you use? There are a few IDs that are reserved by Fortinet for internal purposes (see release notes).

plushi (Author)
New Member
October 3, 2024

The Wifi SSID is in Tunnel mode with HTTPS, SSH, PING and Security Fabric connection checked. The AP is connected to the switch at port one. In FortiSwitch ports, VLAN 20 is a native VLAN.

I just tried putting the VLAN on the allowed list instead of the native list and it made the AP 2.5 and 5 GHz light turn off.

I think I should also mention I have a red "!" stating I am unable to connect to FortiGuard servers.

ebilcari
Staff
October 3, 2024

If the AP is online (VLAN 20) and you are using a tunneled SSID, you don't need to change the VLAN configuration on the switch port where the AP is connected. The user traffic will be tunneled to the FGT and the switch is not aware of other subnets/VLANs. You need to configure an IP network and a DHCP server for the WiFi users under SSID configuration:

[Image: test-ssid.PNG]

and also create a firewall policy that allows internet access from the SSID as 'Incoming Interface'.

Emirjon
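
A CLI sketch of the three pieces named in the reply above for a tunnel-mode SSID (interface address, DHCP server, firewall policy), added here as an example and not taken from the thread or from Fortinet's documentation. The SSID/interface name `guest-wifi`, the 10.10.80.0/24 subnet, the policy name and the passphrase placeholder are constructed, and `virtual-wan-link` is assumed to be the SD-WAN zone. The `#` lines are annotations for the reader.

```fortios
# Added example. Constructed values: "guest-wifi", 10.10.80.0/24, policy name.
config wireless-controller vap
    edit "guest-wifi"
        set ssid "guest-wifi"
        set security wpa2-only-personal
        set passphrase "<PLACEHOLDER-PASSPHRASE>"
        # Tunnel mode: client traffic is carried to the FortiGate, not bridged at the AP
        set local-bridging disable
    next
end
config system interface
    edit "guest-wifi"
        # Gateway address for Wi-Fi clients (not left at 0.0.0.0/0.0.0.0)
        set ip 10.10.80.1 255.255.255.0
        # Ping only: HTTPS/SSH admin access is not offered on the client-facing interface
        set allowaccess ping
    next
end
config system dhcp server
    edit 0
        set interface "guest-wifi"
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.80.10
                set end-ip 10.10.80.200
            next
        end
    next
end
config firewall policy
    edit 0
        set name "guest-wifi-to-internet"
        set srcintf "guest-wifi"
        # Assumed SD-WAN zone name; use the zone your own policies reference
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
    next
end
```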
jhussain_FTNT
Staff
October 3, 2024

Hi,

Have you configured a firewall policy to allow traffic from the SSID interface to the WAN interface?

You can run the debug commands below and check whether the traffic is allowed by the firewall policy (x.x.x.x is the IP address of the client):

    diag debug flow filter addr x.x.x.x
    diag debug flow show function-name enable
    diag debug console timestamp enable
    diag debug flow trace start 100
    diag debug enable

Also, I would suggest configuring the DHCP server in the SSID and checking that the client is receiving an IP address.


Regards

Jamal

plushi (Author)
New Member
October 3, 2024

I replied in the comment below

plushi (Author)
New Member
October 3, 2024

I can't connect to the CLI of the AP (no power cable) itself but I tried running those commands in the FortiGate CLI and it wasn't going through.

There's a Wifi Firewall policy.
Incoming interface: The wifi network
Outgoing interface: SD WAN zone (WAN port on fortigate)
Source: Wifi Address
Destination: all
Service: All

Policy for VLAN 20 
Incoming Int: VLAN 20
Outgoing int: SD wan zone
Source: VLAN 20 wifi address
Destination: All
Service: All

I just configured the SSID IP/Netmask so it's in the same subnet instead of being 0.0.0.0/0.0.0.0

When I connect to the AP and it shows connected but no internet, my computer does not receive the IP address the the AP receives my computer's IP


laltuzar
Staff
October 3, 2024

By the way, if you can't connect to the AP but it is online, you may reach it via SSH. You just need to enable the access via SSH: Technical Tip: How to enable SSH access to FortiAP managed by FortiGate

laltuzar (Answer)
Staff
October 3, 2024

Can the FortiGate reach the internet (simply ping 8.8.8.8)?

If so, you can try to follow the steps from this guide to set up your SSID's users to reach the internet: LAN Edge Deployment Guide

plushi (Author)
New Member
October 3, 2024

No, the FortiGate cannot ping to 8.8.8.8. I wonder why? That's prob the issue.


laltuzar
Staff
October 3, 2024

Yeah, you must check that first. You can try to use Policy lookup to see if your FortiGate is sending the traffic to the implicit deny or matching with any . See Policy views and policy lookup. From previous replies I believe the policies are well configured, but if FG does not reach the internet, we cannot expect the SSID to do so.

As of now, I would think the issue would no longer remain on FortiAP-WLC configuration, but rather on SD-WAN configurations.